Unwanted Hotel Guests: Russia's Fancy Bear

Experts have long warned that connecting to unknown networks is potentially risky since those who have access to one can spy on traffic. Now FireEye says new research has uncovered signs of a stealthy attack that is intended to steal authentication credentials from hotel patrons' computers.

The attack leaves virtually no traces and is almost impossible to stop, says Bryce Boland, FireEye's Asia-Pacific CTO.

"There's no evidence that there was any kind of compromise at all," Boland says. "From an attacker perspective, it's wonderful. They get to steal credentials, and they get to do it in a way that leaves no forensic evidence on the victim's computer."

The group behind the attack is a familiar one: APT28, also known as Fancy Bear, the bold Russian group blamed for the attacks against the Democratic National Committee, the World Anti-Doping Association and many others (see Hackers Dump US Olympic Athletes' Drug-Testing Results).

FireEye says Fancy Bear is recycling a leaked NSA exploit, EternalBlue, which was used in two recent devastating ransomware attacks. The group is also using a tool developed by a security company to take advantage of a Windows redundancy feature, the NetBIOS Name Service, to trick machines into divulging login credentials.

Although both attack methods are well known, their use shows that APT28 continues to expand its capabilities and tactics, FireEye analysts Lindsay Smith and Ben Read write in a blog post.

EternalBlue, Again

FireEye says the investigation kicked off when it detected a spear-phishing campaign against the hospitality industry in seven European countries and one in the Middle East.

The emails contained a malicious Microsoft Word document with a macro that tries to install a standard APT28 backdoor called GAMEFISH, also known as Sednit, Seduploader, JHUHUGIT and Sofacy.

Once inside a hotel's network, APT28 seeks to embed itself in the machines that control corporate and guest Wi-Fi networks. To move through a hotel's network, APT28 uses EternalBlue, an exploit that targets a vulnerability in the Windows server message block (SMB) version 1 file-sharing protocol.

In April, a group called The Shadow Brokers leaked the exploit and vulnerability, which is believed to have come from the National Security Agency. Microsoft patched the flaw in March. But attackers embraced the exploit in the back-to-back WannaCry and NotPetya ransomware attacks, which showed that many organizations still had not patched (see Ransomware Smackdown: NotPetya Not as Bad as WannaCry).

NetBIOS Poisoning

Once APT28 has its hooks in a hotel's network, it then tries to grab authentication credentials stored for various services on guests' computers.

When a Windows computer connects to any network, it automatically tries to re-establish connections to resources, such as a printer, that it usually expects to find, say, when someone is at the office, Boland says.

This is where APT28 jumps in. When a Windows machine starts asking where certain resources are, it will first query DNS. If DNS isn't available, it can ask other machines on the local network to give it the answer via the NetBIOS Name Service.

A malicious machine can falsely claim it is that particular service, causing the querying machine to send it its hashed credentials. It's an attack known as NetBIOS Name Service poisoning.

APT28 doesn't reinvent the wheel. To execute the poisoning attack, it's using Responder, a penetration testing tool developed by Trustwave's SpiderLabs, according to FireEye.

Boland says it is possible for an attacker to capture a large number of credentials from machines. Users are unaware that this is happening, and there are no artifacts left on the compromised machine.

Attackers then have to crack the hashed credentials. Once that's done, they could connect back to the workstation, but FireEye believes the attackers are instead using the credentials to connect to the victim's home network.

Defense? There Isn't One

The tricky part of this attack is that there's no good defense aside from not connecting to an untrusted hotel network. The attack can be executed before a secure VPN connection can be made, Boland says.

"You're racing against your computer trying to reconnect network resources when it sees that it has an active internet connection versus getting your VPN established," Boland says. "The reality is as soon as you connect to that hotel network Wi-Fi, this NetBIOS name server man-in-the-middle attack using Responder will work."

One option is to disable NetBIOS Name Service, which is usually enabled by default on services and devices. But Boland says if organizations have not architected their Microsoft services to avoid using NetBIOS, switching it off could potentially cause significant disruptions.
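The poisoning described above works because any host on the segment may answer an NBNS query. One thing a network defender can do, even where NetBIOS cannot be disabled, is send queries for a random canary name that is registered nowhere: any positive answer is spoofed and identifies the poisoner. The following Python is an added example, not code from FireEye, Responder or the article; it builds the RFC 1002 query, parses a response, and checks a constructed sample. Sending and receiving on UDP/137 broadcast is assumed and left out.

```python
import struct

def encode_nb_name(name: str, suffix: int = 0x20) -> bytes:
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the
    service suffix, then emit each nibble as a letter A..P."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))
    return b"\x20" + enc + b"\x00"

def build_nbns_query(name: str, txid: int) -> bytes:
    """NB name query: flags 0x0110 = recursion desired + broadcast, one question."""
    hdr = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return hdr + encode_nb_name(name) + struct.pack(">HH", 0x0020, 0x0001)

def parse_nbns_response(pkt: bytes):
    """Return (txid, [claimed IPv4s]) for a positive name-query response, else None."""
    if len(pkt) < 12:
        return None
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or an == 0:      # not a response, or no answers
        return None
    off = 12
    # answer name: either a 2-byte pointer (0xC0..) or the 34-byte encoded name
    off += 2 if pkt[off] & 0xC0 == 0xC0 else 34
    if off + 10 > len(pkt):
        return None
    _rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    rdata = pkt[off + 10:off + 10 + rdlen]
    # each ADDR_ENTRY is 2 flag bytes followed by an IPv4 address
    ips = [".".join(str(b) for b in rdata[i + 2:i + 6]) for i in range(0, len(rdata) - 5, 6)]
    return txid, ips

def check_canary_response(txid: int, pkt: bytes, src_ip: str):
    """A canary name is random and registered nowhere, so any positive answer
    to it is spoofed: report the sender and the address it wants us to use."""
    parsed = parse_nbns_response(pkt)
    if parsed is None or parsed[0] != txid:
        return None
    return {"responder": src_ip, "claimed": parsed[1]}

def sample_spoofed_response(txid: int, name: str, ip: str = "192.0.2.10") -> bytes:
    """Constructed test vector (not captured traffic): a positive response
    (flags 0x8580) that points the canary name at `ip`."""
    hdr = struct.pack(">HHHHHH", txid, 0x8580, 0, 1, 0, 0)
    rr = encode_nb_name(name) + struct.pack(">HHIH", 0x0020, 0x0001, 165, 6)
    return hdr + rr + struct.pack(">H", 0) + bytes(int(o) for o in ip.split("."))
```

Run the canary periodically from a monitoring host on the guest and corporate segments; a hit gives the poisoner's source address for containment and correlates with the credential-theft window described above.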

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
